The Ultimate Guide to GDPR for U.S. Healthcare Vendors

What is the GDPR?

The General Data Protection Regulation (GDPR) represents a change in how personal data for any subject of the European Union (EU), including the United Kingdom, may be collected and maintained. It applies to residents, as well as citizens, of the EU. The GDPR goes into effect on May 25, 2018. At that time, companies may be fined up to 4% of their global annual revenue for GDPR violations.

There is still some debate over exactly how the GDPR affects B2B companies. In particular, there are differing interpretations over whether work email addresses are considered “personal data.” In my view, wherever the GDPR is unclear, it is better to err on the side of caution. This is especially so considering many B2B databases contain contacts’ personal emails. Other personal data can wind up in your database, too, such as when people register for trade shows with their personal information, which you collect when you scan their badges.

When it comes to data privacy in Europe, you need to be careful and thorough. Errors in getting compliant can be costly. A case in point: Honda Motor Europe was fined for a re-engagement campaign intended to cleanse its database so it would be compliant with another data privacy law.

Most importantly for U.S. healthcare vendors, HIPAA compliance is not sufficient to ensure GDPR compliance.

Why should the GDPR matter to medical vendors and healthcare tech companies – if they only work in the US?

A lot of American companies in the healthcare sector are under the false impression that the GDPR will not impact them. While it is true that companies working only within the United States will not be as affected as those who work in Europe, the GDPR still poses risks for them.

Here’s a simple scenario that any B2B healthcare vendor can relate to … your company attends a large trade show where the attendees come from all over the world. You only work in the United States but your staff scan the IDs of anyone who comes to the booth. Plus, some attendees look you up online and download your white paper. Others sign up for your newsletter. Either way, they are now all in your database, including those who are from the EU … and your company is now on the hook for maintaining their data in compliance with the GDPR.

In addition to trade shows, purchased lists can pose a risk. Yes, yes, I know marketers hate to admit they purchase lists, but it is common practice in the B2B healthcare sector. You may specify country but that does not mean you get what you asked for. I have seen companies purchase lists of tens of thousands of contacts, only to realize months later that they included entire industries they had not intended.

(T)he GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data.
International Commissioner’s Office (ICO)

Adding a deeper level of complexity to this issue is the fact that even IP addresses are considered protected personal data under the GDPR. This means that any website tracking done through your marketing automation or analytics platforms can put you at risk.

Clearly, these issues impact your Marketing and Data Management teams. However, it is critical that your Sales and Business Development teams also understand the impact, because the last thing you need is to find out that they are maintaining separate contact lists that are not in compliance.

Food for thought: Although American data privacy standards are significantly different from those of Europe, it is not unreasonable to assume that the higher standard of the EU will eventually become the norm worldwide.

What does this mean for American healthcare vendors and healthcare tech companies?

Marketing and Sales

Your Marketing team will be directly impacted by the GDPR. Purchased lists containing EU data are a violation, and it is unclear whether you can rely on “opt-out” for work-related EU data. The push is for all data to be clearly opt-in, and records must be kept on the details of how consent was given.

Consent under the GDPR can only be given for a specific purpose; it can no longer be bundled in with other types of consent. So, if you use a downloadable guide as a lead magnet, you cannot automatically add those people to a newsletter list or other drip campaign. Instead, you would need to specifically have them check a box indicating they gave that permission. Moreover, the box cannot be checked by default.

Children’s data are also protected in specific ways, and may require parental or guardian consent. Plus, they require consent to be requested in language a child can understand. In the B2B healthcare world, this may not seem to apply. However, consider a healthcare wearables company where a 12-year-old in the EU uses your product and goes to your website to download the app. If they have to give any data to do that, even if they just have their IP address tracked, that data is now protected by the GDPR.

Reverse IP tracking, a common part of many marketing automation packages, will now require consent.

Lead scoring, which constitutes profiling, now requires consent.

And, as the case with Honda showed, re-engagement programs cannot be used in the EU unless the person has recently opted in (in which case, why would you be running them through a re-engagement program?).

Your CRM can also put you at risk. Any sales calculations you make regarding the likelihood of a win now also require consent, as they, too, constitute profiling.

Your public relations model may also need to be adjusted, as you will need permission to reach out to editors and journalists.

Data Management

A key component of the GDPR is that people have the right to ask for their data, which you must be able to export for them in a commonly-used format. This requires you to maintain an audit trail so you can show how you are using their data, what you are using it for, and where you are using it.

In addition to the right to revoke consent and unsubscribe, people also have the “right to be forgotten.” This means that you must be able to erase their data completely from all your technology (not just your marketing automation).

For companies that store patient data (as opposed to prospect data), consent issues should be reviewed with your developers and an attorney. You are also responsible for protecting any data that you store for a 3rd party, including via shared servers. In addition, if you share data with another company and discover an inaccuracy in your data, you will need a way to update the other company’s records, as well as your own.

Keep in mind that, under the GDPR, individuals have a right to complain to the ICO if they think there is a problem with the data you hold on them.

Data Security

The GDPR also has specific requirements regarding data breaches. You will need a procedure in place to detect, report and investigate any personal data breach involving EU data.

What All Medical Vendors and Healthcare Tech Companies Should Do …

I give specific recommendations below for companies who work in the EU, as well as those who do not, but the following list applies to both groups. Remember, EU data may be in your database even if you do not work in the EU.

  • Consult with an attorney to see how you, specifically, might be impacted.
  • Contact your marketing automation platform and get details on how they handle GDPR.
  • Determine the geography of your database. Google Analytics and your marketing automation can help.
  • Review your full data stack – not just your marketing stack and see where there may be IP addresses or other personal data that has not been obtained by consent. This includes CRM data, social media data, ad data, lead scoring, Human Resources records, customer lists, contact details, and so forth. “Privacy by design” is required by the GDPR.
  • Check with your Public Relations team to ensure they are compliant in reaching out to editors and journalists in the EU.
  • Verify that your Sales team is not scraping lists together – at least, not of EU data.
  • Make sure your Unsubscribe function works; I remember one company whose email marketing software stopped reliably unsubscribing people. Unsubscribed people should not receive emails automatically or from the Sales team. A suppression list may prevent Unsubscribes from being added back into your marketing; consult with an attorney to see if this is an acceptable approach.

If your company DOES work in the EU …

If you work in the EU, you will need to take extensive action to ensure compliance with the GDPR. This includes:

  • Assign a Data Protection Officer to determine where you might be at risk. Their role can be as extensive as you need, depending on your involvement with EU data.
  • Determine your lawful basis for processing people’s data. See this information on GDPR lawful processing standards, which include:
    • Consent of the data subject
    • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
    • Processing is necessary for compliance with a legal obligation
    • Processing is necessary to protect the vital interests of a data subject or another person
    • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
    • Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
  • Ensure you can completely remove all traces of someone’s data from your records.
  • Make sure you can supply data upon request, in a commonly used file format.
  • Create an audit trail of all your data.
  • Make sure you have the procedures in place to detect, report and investigate a personal data breach, including reporting it to the ICO.
  • Ensure you can prove positive opt-in for any EU data in your database, which is probably easier to do for everybody, rather than just the EU folks. Double opt-in is a good idea. Remember that positive opt-in means:
    • Cannot be inferred from silence, pre-ticked boxes or inactivity
    • No blanket consent – as in, “they got our white paper, they must want our newsletter.”
    • Consent must be separate from other terms/conditions they agree to
    • Easy to withdraw consent
    • Must be verifiable
    • All aspects of consent must be prominently placed – not hidden
  • Set up a preference center so people can subscribe/unsubscribe to different aspects of your outreach.
  • At trade shows, always get permission to email anyone; be specific as to what they are signing up for.
  • Stop collecting data you don’t really need and, as data must be kept current and accurate, do not keep data for longer than necessary.
  • Review re-engagement programs and ensure none go to anyone in the EU unless you have clear and provable consent.
  • Ensure your website privacy policy shows how you collect, store, and process data, as well as why you collect it. Review whether your circumstances warrant having a checkbox in any opt-in form where people must indicate they agree to the privacy policy.

If your company does NOT work in the EU …

In this case, you are unlikely to need contact data for anyone from the EU. Therefore, recommendations for you are:

  • Block or remove all those in your database from Europe.
  • Use automations to purge anyone from Europe before sending emails (or texts or chats or …).
  • Add “country” field to forms; make it required.
  • Use “country” to determine qualification as MQL or SQL; purge anyone from the EU.
  • If your marketing automation platform can infer “country,” regularly purge those presumed from Europe from your database.
  • Purge anyone from Europe from trade show scans or attendee lists.

Here’s the upshot on the GDPR for U.S. healthcare vendors …

Regardless of whether you do business in the EU, you may still have EU data in your database. Remember, HIPAA compliance is not sufficient to ensure GDPR compliance. Your best bet is to speak with an attorney, review your data and take action where potential risks or violations could occur.